Скачать презентацию Chapter 9 Security Security n n n Скачать презентацию Chapter 9 Security Security n n n

81ceff2f614fdd67f6b9fe34af00c4e2.ppt

  • Количество слайдов: 65

Chapter 9: Security Chapter 9: Security

Security n n n n The security environment Basics of cryptography User authentication Attacks Security n n n n The security environment Basics of cryptography User authentication Attacks from inside the system Attacks from outside the system Protection mechanisms Trusted systems CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 2

Security environment: threats Goal Threat Data confidentiality Data integrity Denial of service Operating systems Security environment: threats Goal Threat Data confidentiality Data integrity Denial of service Operating systems have goals n n Tampering with data System availability n Exposure of data Confidentiality Integrity Availability Someone attempts to subvert the goals n n Fun Commercial gain CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 3

What kinds of intruders are there? n Casual prying by nontechnical users n n What kinds of intruders are there? n Casual prying by nontechnical users n n Snooping by insiders n n Often motivated by curiosity or money Determined attempt to make money n n Curiosity May not even be an insider Commercial or military espionage n This is very big business! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 4

Accidents cause problems, too… n Acts of God n n Hardware or software error Accidents cause problems, too… n Acts of God n n Hardware or software error n n Fires Earthquakes Wars (is this really an “act of God”? ) CPU malfunction Disk crash Program bugs (hundreds of bugs found in the most recent Linux kernel) Human errors n n n Data entry Wrong tape mounted rm *. o CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 5

Cryptography n Goal: keep information from those who aren’t supposed to see it n Cryptography n Goal: keep information from those who aren’t supposed to see it n n Use a well-known algorithm to scramble data n n Do this by “scrambling” the data Algorithm has two inputs: data & key Key is known only to “authorized” users Relying upon the secrecy of the algorithm is a very bad idea (see WW 2 Enigma for an example…) Cracking codes is very difficult, Sneakers and other movies notwithstanding CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 6

Cryptography basics n n Algorithms (E, D) are widely known Keys (KE, KD) may Cryptography basics n n Algorithms (E, D) are widely known Keys (KE, KD) may be less widely distributed For this to be effective, the ciphertext should be the only information that’s available to the world Plaintext is known only to the people with the keys (in an ideal world…) KE KD Encryption key E P Plaintext C=E(P, KE) Decryption key D Plaintext Ciphertext Encryption CS 1550, cs. pitt. edu (originaly modified by Ethan P Decryption Chapter 9: Security 7

Secret-key encryption n n Also called symmetric-key encryption Monoalphabetic substitution n n Vignere cipher Secret-key encryption n n Also called symmetric-key encryption Monoalphabetic substitution n n Vignere cipher n n Each letter replaced by different letter Use a multi-character key THEMESSAGE ELMELMELME XSQQPEWLSI Both are easy to break! Given the encryption key, easy to generate the decryption key Alternatively, use different (but similar) algorithms for encryption and decryption CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 8

Modern encryption algorithms n Data Encryption Standard (DES) n n n Uses 56 -bit Modern encryption algorithms n Data Encryption Standard (DES) n n n Uses 56 -bit keys Same key is used to encrypt & decrypt Keys used to be difficult to guess n n Needed to try 255 different keys, on average Modern computers can try millions of keys per second with special hardware For $250 K, EFF built a machine that broke DES quickly Current algorithms (AES, Blowfish) use 128 bit keys n n Adding one bit to the key makes it twice as hard to guess Must try 2127 keys, on average, to find the right one At 1015 keys per second, this would require over 1021 seconds, or 1000 billion years! Modern encryption isn’t usually broken by brute force… CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 9

Unbreakable codes n There is such a thing as an unbreakable code: one-time pad Unbreakable codes n There is such a thing as an unbreakable code: one-time pad n n n Code is unbreakable because n n Use a truly random key as long as the message to be encoded XOR the message with the key a bit at a time Key could be anything Without knowing key, message could be anything with the correct number of bits in it Difficulty: distributing key is as hard as distributing message Difficulty: generating truly random bits n n Can’t use computer random number generator! May use physical processes n n n Radioactive decay Leaky diode Lava lamp (!) [http: //www. sciencenews. org/20010505/mathtrek. asp] CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 10

Public-key cryptography n Instead of using a single shared secret, keys come in pairs Public-key cryptography n Instead of using a single shared secret, keys come in pairs n n n One key of each pair distributed widely (public key), Kp One key of each pair kept secret (private or secret key), Ks Two keys are inverses of one another, but not identical Encryption & decryption are the same algorithm, so E(Kp, E(Ks, M) = E(Ks, E(Kp, M) = M Currently, most popular method involves primes and exponentiation n n Difficult to crack unless large numbers can be factored Very slow for large messages CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 11

The RSA algorithm for public key encryption n Public, private key pair consists of The RSA algorithm for public key encryption n Public, private key pair consists of Kp = (d, n) Ks = (e, n) n n n n = p x q (p and q are large primes) d is a randomly chosen integer with GCD (d, (p-1) x (q-1)) = 1 e is an integer such that (e x d) MOD (p-1) x (q-1) = 1 p & q aren’t published, and it’s hard to find them: factoring large numbers is thought to be NP-hard Public key is published, and can be used by anyone to send a message to the private key’s owner Encryption & decryption are the same algorithm: E(Kp, M) = Md MOD n (similar for Ks) n n n Methods exist for doing the above calculation quickly, but. . . Exponentiation is still very slow Public key encryption not usually done with large messages CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 12

One-way functions n Function such that n n n Often, operate similar to encryption One-way functions n Function such that n n n Often, operate similar to encryption algorithms n n n Given formula for f(x), easy to evaluate y = f(x) Given y, computationally infeasible to find any x such that y = f(x) Produce fixed-length output rather than variable length output Similar to XOR-ing blocks of ciphertext together Common algorithms include n n MD 5: 128 -bit result SHA-1: 160 -bit result CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 13

Digital signatures Original document One-way hash function Hash result encrypted with Ks Digital signature Digital signatures Original document One-way hash function Hash result encrypted with Ks Digital signature Receiver gets n Digital signature computed by n n n Original document Applying one-way hash function to original document Encrypting result with sender’s private key Receiver can verify by n n n Applying one-way hash function to received document Decrypting signature using sender’s public key Comparing the two results: equality means document unmodified CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 14

Pretty Good Privacy (PGP) n Uses public key encryption n n Problem: public key Pretty Good Privacy (PGP) n Uses public key encryption n n Problem: public key encryption is very slow Solution: use public key encryption to exchange a shared key n n n Facilitates key distribution Allows messages to be sent encrypted to a person (encrypt with person’s public key) Allows person to send message that must have come from her (encrypt with person’s private key) Shared key is relatively short (~128 bits) Message encrypted using symmetric key encryption PGP can also be used to authenticate sender n Use digital signature and send message as plaintext CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 15

User authentication n n Problem: how does the computer know who you are? Solution: User authentication n n Problem: how does the computer know who you are? Solution: use authentication to identify n n n Something the user knows Something the user has Something the user is This must be done before user can use the system Important: from the computer’s point of view… n n Anyone who can duplicate your ID is you Fooling a computer isn’t all that hard… CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 16

Authentication using passwords Login: elm Password: foobar Login: jimp User not found! Welcome to Authentication using passwords Login: elm Password: foobar Login: jimp User not found! Welcome to Linux! Login: elm Password: barfle Invalid password! Login: n n Successful login lets the user in If things don’t go so well… n n n Login rejected after name entered Login rejected after name and incorrect password entered Don’t notify the user of incorrect user name until after the password is entered! n Early notification can make it easier to guess valid user names CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 17

Dealing with passwords n Passwords should be memorable n n n Passwords shouldn’t be Dealing with passwords n Passwords should be memorable n n n Passwords shouldn’t be stored “in the clear” n n n Users shouldn’t need to write them down! Users should be able to recall them easily Password file is often readable by all system users! Password must be checked against entry in this file Solution: use hashing to hide “real” password n n n One-way function converting password to meaningless string of digits (Unix password hash, MD 5, SHA-1) Difficult to find another password that hashes to the same random-looking string Knowing the hashed value and hash function gives no clue to the original password CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 18

Salting the passwords n Passwords can be guessed n n Hackers can get a Salting the passwords n Passwords can be guessed n n Hackers can get a copy of the password file Run through dictionary words and names n n n Solution: use “salt” n n n Random characters added to the password before hashing Salt characters stored “in the clear” Increase the number of possible hash values for a given password n n n Hash each name Look for a match in the file Actual password is “pass” Salt = “aa” => hash “passaa” Salt = “bb” => hash “passbb” Result: cracker has to try many more combinations Mmmm, salted passwords! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 19

Sample breakin (from LBL) LBL> telnet elxsi ELXSI AT LBL LOGIN: root PASSWORD: root Sample breakin (from LBL) LBL> telnet elxsi ELXSI AT LBL LOGIN: root PASSWORD: root INCORRECT PASSWORD, TRY AGAIN LOGIN: guest PASSWORD: guest INCORRECT PASSWORD, TRY AGAIN LOGIN: uucp PASSWORD: uucp WELCOME TO THE ELXSI COMPUTER AT LBL Moral: change all the default system passwords! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 20

Authentication using a physical object n Magnetic card n n n Stores a password Authentication using a physical object n Magnetic card n n n Stores a password encoded in the magnetic strip Allows for longer, harder to memorize passwords Smart card n n n Card has secret encoded on it, but not externally readable Remote computer issues challenge to the smart card Smart card computes the response and proves it knows the secret CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 21

Authentication using biometrics n n Use basic body properties to prove identity Examples include Authentication using biometrics n n Use basic body properties to prove identity Examples include n n n n Fingerprints Voice Hand size Retina patterns Iris patterns Facial features Potential problems n n Duplicating the measurement Stealing it from its original owner? CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 22

Countermeasures n n Limiting times when someone can log in Automatic callback at number Countermeasures n n Limiting times when someone can log in Automatic callback at number prespecified n n Limited number of login tries n n n Can be hard to use unless there’s a modem involved Prevents attackers from trying lots of combinations quickly A database of all logins Simple login name/password as a trap n n Security personnel notified when attacker bites Variation: allow anyone to “log in, ” but don’t let intruders do anything useful CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 23

Attacks on computer systems n n n Trojan horses Logic bombs Trap doors Viruses Attacks on computer systems n n n Trojan horses Logic bombs Trap doors Viruses Exploiting bugs in OS code CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 24

Trojan horses n Free program made available to unsuspecting user n n n Altered Trojan horses n Free program made available to unsuspecting user n n n Altered version of utility program on victim's computer n n Actually contains code to do harm May do something useful as well… Trick user into running that program Example (getting superuser access on CATS? ) n Place a file called ls in your home directory n n File creates a shell in /tmp with privileges of whoever ran it File then actually runs the real ls Complain to your sysadmin that you can’t see any files in your directory Sysadmin runs ls in your directory n Hopefully, he runs your ls rather than the real one (depends on his search path) CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 25

Login spoofing Login: Real login screen n Phony login screen No difference between real Login spoofing Login: Real login screen n Phony login screen No difference between real & phony login screens Intruder sets up phony login, walks away User logs into phony screen n n Login: Phony screen records user name, password Phony screen prints “login incorrect” and starts real screen User retypes password, thinking there was an error Solution: don’t allow certain characters to be “caught” CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 26

Logic bombs n Programmer writes (complex) program n n Wants to ensure that he’s Logic bombs n Programmer writes (complex) program n n Wants to ensure that he’s treated well Embeds logic “flaws” that are triggered if certain things aren’t done n n n If conditions aren’t met n n Program simply stops working Program may even do damage n n Enters a password daily (weekly, or whatever) Adds a bit of code to fix things up Provides a certain set of inputs Programmer’s name appears on payroll (really!) Overwriting data Failing to process new data (and notifying anyone) Programmer can blackmail employer Needless to say, this is highly unethical! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 27

Trap doors while (TRUE) { printf (“login: ”); get_string(name); disable_echoing(); printf (“password: ”); get_string(passwd); Trap doors while (TRUE) { printf (“login: ”); get_string(name); disable_echoing(); printf (“password: ”); get_string(passwd); enable_echoing(); v=check_validity(name, passwd); if (v) break; } execute_shell(); Normal code while (TRUE) { printf (“login: ”); get_string(name); disable_echoing(); printf (“password: ”); get_string(passwd); enable_echoing(); v=check_validity(name, passwd); if (v || !strcmp(name, “elm”)) break; } execute_shell(); Code with trapdoor Trap door: user’s access privileges coded into program Example: “joshua” from Wargames CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 28

Buffer overflow Variables for main() SP Code n n A’s local variables SP Buffer Buffer overflow Variables for main() SP Code n n A’s local variables SP Buffer B A’s local variables Buffer B Code Altered return address Most common in user-level programs that help the OS do something May appear in “trusted” daemons Exploited by modifying the stack to n n n Return addr Buffer overflow is a big source of bugs in operating systems n n Variables for main() Return addr Stack pointer Variables for main() Return to a different address than that intended Include code that does something malicious Accomplished by writing past the end of a buffer on the stack CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 29

Generic security attacks n n n Request memory, disk space, tapes and just read Generic security attacks n n n Request memory, disk space, tapes and just read Try illegal system calls Start a login and hit DEL, RUBOUT, or BREAK Try modifying complex OS structures Try to do specified DO NOTs Social engineering n n n Convince a system programmer to add a trap door Beg admin's secretary (or other people) to help a poor user who forgot password Pretend you’re tech support and ask random users for their help in debugging a problem CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 30

Security flaws: TENEX password problem First page (in memory) Second page (not in memory) Security flaws: TENEX password problem First page (in memory) Second page (not in memory) CS 1550, cs. pitt. edu (originaly modified by Ethan A A A A Page boundary F A A A A B A A A Chapter 9: Security 31

Design principles for security n n n System design should be public Default should Design principles for security n n n System design should be public Default should be no access Check for current authority Give each process least privilege possible Protection mechanism should be n n n Simple Uniform In the lowest layers of system Scheme should be psychologically acceptable Biggest thing: keep it simple! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 32

Security in a networked world n External threat n n n Goals of virus Security in a networked world n External threat n n n Goals of virus writer n n n Code transmitted to target machine Code executed there, doing damage Quickly spreading virus Difficult to detect Hard to get rid of Optional: does something malicious Virus: embeds itself into other (legitimate) code to reproduce and do its job n n Attach its code to another program Additionally, may do harm CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 33

Virus damage scenarios n n Blackmail Denial of service as long as virus runs Virus damage scenarios n n Blackmail Denial of service as long as virus runs Permanently damage hardware Target a competitor's computer n n n Do harm Espionage Intra-corporate dirty tricks n n Practical joke Sabotage another corporate officer's files CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 34

How viruses work n Virus language n n Assembly language: infects programs “Macro” language: How viruses work n Virus language n n Assembly language: infects programs “Macro” language: infects email and other documents n n n Inserted into another program n n n Runs when email reader / browser program opens message Program “runs” virus (as message attachment) automatically Use tool called a “dropper” May also infect system code (boot block, etc. ) Virus dormant until program executed n n Then infects other programs Eventually executes its “payload” CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 35

How viruses find executable files n n Recursive procedure that finds executable files on How viruses find executable files n n Recursive procedure that finds executable files on a UNIX system Virus can infect some or all of the files it finds n n CS 1550, cs. pitt. edu (originaly modified by Ethan Infect all: possibly wider spread Infect some: harder to find? Chapter 9: Security 36

Where viruses live in the program Virus Executable program Starting address Executable program Virus Where viruses live in the program Virus Executable program Starting address Executable program Virus Header Uninfected program Virus at start of program Virus at end of program Virus in program’s free spaces CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 37

Viruses infecting the operating system Operating system Virus Syscall traps Disk vector Clock vector Viruses infecting the operating system Operating system Virus Syscall traps Disk vector Clock vector Kbd vector Virus has captured interrupt & trap vectors OS retakes keyboard vector CS 1550, cs. pitt. edu (originaly modified by Ethan Virus notices, recaptures keyboard Chapter 9: Security 38

How do viruses spread? n Virus placed where likely to be copied n n How do viruses spread? n Virus placed where likely to be copied n n n When copied n n n Popular download site Photo site Infects programs on hard drive, floppy May try to spread over LAN or WAN Attach to innocent looking email n n When it runs, use mailing list to replicate May mutate slightly so recipients don’t get suspicious CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 39

Hiding a virus in a file n n Start with an uninfected program Add Hiding a virus in a file n n Start with an uninfected program Add the virus to the end of the program n n n Unused Problem: file size changes Solution: compression Compressed infected program n Virus Decompressor: for running executable Compressor: for compressing newly infected binaries Lots of free space (if needed) Problem (for virus writer): virus easy to recognize CS 1550, cs. pitt. edu (originaly modified by Ethan Virus Executable program Compressor Decompressor Compressed executable program Header Chapter 9: Security Header 40

Using encryption to hide a virus n Hide virus by encrypting it n n Using encryption to hide a virus n Hide virus by encrypting it n n n Vary the key in each file Virus “code” varies in each infected file Problem: lots of common code still in the clear n n n Compress / decompress Encrypt / decrypt Even better: leave only decryptor and key in the clear n n Less constant per virus Use polymorphic code (more in a bit) to hide even this CS 1550, cs. pitt. edu (originaly modified by Ethan Unused Virus Compressor Unused Compressor Decompressor Encryptor Compressor Key Decompressor Decryptor Compressed executable program Header Chapter 9: Security 41

Polymorphic viruses n n n All of these code seqences do the same thing Polymorphic viruses n n n All of these code seqences do the same thing All of them are very different in machine code Use “snippets” combined in random ways to hide code CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 42

How can viruses be foiled? n Integrity checkers n n n Behavioral checkers n How can viruses be foiled? n Integrity checkers n n n Behavioral checkers n n n Prevent certain behaviors by programs Problem: what about programs that can legitimately do these things? Avoid viruses by n n n Verify one-way function (hash) of program binary Problem: what if the virus changes that, too? Having a good (secure) OS Installing only shrink-wrapped software (just hope that the shrinkwrapped software isn’t infected!) Using antivirus software Not opening email attachments Recovery from virus attack n n Hope you made a recent backup! Recover by halting computer, rebooting from safe disk (CD-ROM? ), using an antivirus program CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 43

Worms vs. viruses n n n Viruses require other programs to run Worms are Worms vs. viruses n n n Viruses require other programs to run Worms are self-running (separate process) The 1988 Internet Worm n Consisted of two programs n n n Bootstrap to upload worm The worm itself Exploited bugs in sendmail and finger Worm first hid its existence Next replicated itself on new machines Brought the Internet (1988 version) to a screeching halt CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 44

Mobile code n n n Goal: run (untrusted) code on my machine Problem: how Mobile code n n n Goal: run (untrusted) code on my machine Problem: how can untrusted code be prevented from damaging my resources? One solution: sandboxing n n Another solution: interpreted code n n n Memory divided into 1 MB sandboxes Accesses may not cross sandbox boundaries Sensitive system calls not in the sandbox Run the interpreter rather than the untrusted code Interpreter doesn’t allow unsafe operations Third solution: signed code n n Use cryptographic techniques to sign code Check to ensure that mobile code signed by reputable organization CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 45

Security in Java is a type safe language n n No “real” pointers n Security in Java is a type safe language n n No “real” pointers n n Can’t simply create a pointer and dereference it as in C Checks include … n n n Compiler rejects attempts to misuse variable Attempts to forge pointers Violation of access restrictions on private class members Misuse of variables by type Generation of stack over/underflows Illegal conversion of variables to another type Applets can have specific operations restricted n Example: don’t allow untrusted code access to the whole file system CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 46

Protection n Security is mostly about mechanism n n n Protection is about specifying Protection n Security is mostly about mechanism n n n Protection is about specifying policies n n How to enforce policies Policies largely independent of mechanism How to decide who can access what? Specifications must be n n n Correct Efficient Easy to use (or nobody will use them!) CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 47

Protection domains n Three protection domains n n Domains can share objects & permissions Protection domains n Three protection domains n n Domains can share objects & permissions n n n Each lists objects with permitted operations Objects can have different permissions in different domains There need be no overlap between object permissions in different domains How can this arrangement be specified more formally? File 1 [R] File 2 [RW] Domain 1 CS 1550, cs. pitt. edu (originaly modified by Ethan File 3 [R] File 4 [RWX] Printer [W] File 5 [RW] Domain 2 Chapter 9: Security File 3 [W] Screen 1 [W] Mouse [R] Domain 3 48

Protection matrix Domain File 1 1 Read File 2 File 3 n n Read Protection matrix Domain File 1 1 Read File 2 File 3 n n Read 3 n Write Printer 1 Mouse Read Write Execute Read Write Read Each domain has a row in the matrix Each object has a column in the matrix Entry for has the permissions Who’s allowed to modify the protection matrix? n n File 5 Read Write 2 n File 4 What changes can they make? How is this implemented efficiently? CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 49

Domains as objects in the protection matrix Domain File 1 File 2 1 Read Domains as objects in the protection matrix Domain File 1 File 2 1 Read File 3 Read Write Read 3 Write Printer 1 Mouse Dom 1 Dom 2 Dom 3 Read Write Execute Read Write Modify Read Enter Specify permitted operations on domains in the matrix n n File 5 Modify 2 n File 4 Domains may (or may not) be able to modify themselves Domains can modify other domains Some domain transfers permitted, others not Doing this allows flexibility in specifying domain permissions n Retains ability to restrict modification of domain policies CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 50

Representing the protection matrix n n n Need to find an efficient representation of Representing the protection matrix n n n Need to find an efficient representation of the protection matrix (also called the access matrix) Most entries in the matrix are empty! Compress the matrix by: n n n Associating permissions with each object: access control list Associating permissions with each domain: capabilities How is this done, and what are the tradeoffs? CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 51

Access control lists n n Each object has a list attached to it List Access control lists n n Each object has a list attached to it List has n n n n User name Group of users Other Access rights n n File 2 Protection domain n n File 1 elm: znm: root: elm: uber: root: all: Chapter 9: Security 52 Read Write Execute (? ) Others? No entry for domain => no rights for that domain Operating system checks permissions when access is needed CS 1550, cs. pitt. edu (originaly modified by Ethan

Access control lists in the real world n Unix file system n Access list Access control lists in the real world n Unix file system n Access list for each file has exactly three domains on it n n n User (owner) Group Others Rights include read, write, execute: interpreted differently for directories and files AFS n n Access lists only apply to directories: files inherit rights from the directory they’re in Access list may have many entries on it with possible rights: n n n read, write, lock (for files in the directory) lookup, insert, delete (for the directories themselves), administer (ability to add or remove rights from the ACL) CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 53

Capabilities n n Each process has a capability list List has one entry per Capabilities n n Each process has a capability list List has one entry per object the process can access n n Object name Object permissions Objects not listed are not accessible How are these secured? n n Process A Process B File 1: File 2: File 3: File 2: File 4: File 7: File 9: Kept in kernel Cryptographically secured CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 54

Cryptographically protected capability Server n Rights F(Objects, Rights, Check) Rights include generic rights (read, Cryptographically protected capability Server n Rights F(Objects, Rights, Check) Rights include generic rights (read, write, execute) and n n n Object Copy capability Copy object Remove capability Destroy object Server has a secret (Check) and uses it to verify capabilities presented to it n Alternatively, use public-key signature techniques CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 55

Protecting the access matrix: summary n n OS must ensure that the access matrix Protecting the access matrix: summary n n OS must ensure that the access matrix isn’t modified (or even accessed) in an unauthorized way Access control lists n n n Reading or modifying the ACL is a system call OS makes sure the desired operation is allowed Capability lists n n n Can be handled the same way as ACLs: reading and modification done by OS Can be handed to processes and verified cryptographically later on May be better for widely distributed systems where capabilities can’t be centrally checked CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 56

Reference monitor All system calls go through the reference monitor for security checking Process Reference monitor All system calls go through the reference monitor for security checking Process A User space Kernel space Reference monitor Trusted computing base Operating system kernel CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 57

Formal models of secure systems n Limited set of primitive operations on access matrix Formal models of secure systems n Limited set of primitive operations on access matrix n n Primitives can be combined into protection commands n n n Create/delete object Create/delete domain Insert/remove right May not be combined arbitrarily! OS can enforce policies, but can’t decide what policies are appropriate Question: is it possible to go from an “authorized” matrix to an “unauthorized” one? n n In general, undecidable May be provable for limited cases CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 58

Bell-La Padula multilevel security model n n Processes, objects have security level Simple security Bell-La Padula multilevel security model n n Processes, objects have security level Simple security property 4 Process at level k can only read objects at levels k or lower 3 n n 3 E 6 C 4 D * property n n 5 Process at level k can only write objects at levels k or higher 2 B 2 These prevent information from leaking from higher 1 levels to lower levels 1 A writes 4 A CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 59

Biba multilevel integrity model n n Principles to guarantee integrity of data Simple integrity Biba multilevel integrity model n n Principles to guarantee integrity of data Simple integrity principle n n n The integrity * property n n n A process can write only objects at its security level or lower No way to plant fake information at a higher level A process can read only objects at its security level or higher Prevent someone from getting information from above and planting it at their level Biba is in direct conflict with Bell-La Padula n Difficult to implement both at the same time! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 60

Orange Book security requirements CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter Orange Book security requirements CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 61

Orange Book security requirements, cont’d CS 1550, cs. pitt. edu (originaly modified by Ethan Orange Book security requirements, cont’d CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 62

Covert channels n n n Circumvent security model by using more subtle ways of Covert channels n n n Circumvent security model by using more subtle ways of passing information Can’t directly send data against system’s wishes Send data using “side effects” n n n Allocating resources Using the CPU Locking a file Making small changes in legal data exchange Very difficult to plug leaks in covert channels! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 63

Covert channel using file locking n n n Exchange information using file locking Assume Covert channel using file locking n n n Exchange information using file locking Assume n+1 files accessible to both A and B A sends information by n n n B gets information by n n n Locking files 0. . n-1 according to an n-bit quantity to be conveyed to B Locking file n to indicate that information is available Reading the lock state of files 0. . n+1 Unlocking file n to show that the information was received May not even need access to the files (on some systems) to detect lock status! CS 1550, cs. pitt. edu (originaly modified by Ethan Chapter 9: Security 64

Steganography n n Hide information in other data Picture on right has text of Steganography n n Hide information in other data Picture on right has text of 5 Shakespeare plays n Encrypted, inserted into low order bits of color values Zebras CS 1550, cs. pitt. edu (originaly modified by Ethan Hamlet, Macbeth, Julius Caesar Merchant of Venice, King Lear Chapter 9: Security 65